Certificate Revocation/Expiry Status Verification · Security Guide for Cisco Unified Communications Manager, Release 11.0(1)




Certificate Revocation/Expiry Status Verification

This chapter provides a brief overview of how to check the status of the certificates generated for sessions in Cisco Unified Communications Manager Administration. The certificate service periodically checks for long lived sessions between Cisco Unified Communications Manager and other services. Long lived sessions have a duration of six hours or more. The check is performed for the following long lived sessions:

• CTI Connections with JTAPI /TAPI applications.

• LDAP Connection between Cisco Unified Communications Manager and SunOne servers.

• IPSec Connections

It also describes how to configure the enterprise parameter for verifying certificate revocation and expiry.

The enterprise parameter Certificate Revocation and Expiry allows you to control the certificate validation checks. The revocation and expiry check parameter is enabled on the Enterprise Parameter page of Cisco Unified Communications Manager. The certificate expiry for the long lived sessions is not verified when the enterprise parameter value is disabled.

The certificate revocation service is active for LDAP and IPSec connections when Enable Revocation is selected in the Operating System Administration of Cisco Unified Communications Manager and the revocation and expiry check parameter is set to enabled. The periodicity of the check for IPSec connections is based on the Check Every value. The revocation check for the certificate is not performed if the Enable Revocation check box is unchecked.

• Certificate Revocation/Expiry Status Verification, page 1

• Verify Certificate Status, page 2

• Support for Delegated Trust Model in OCSP Response, page 2

Certificate Revocation/Expiry Status Verification

This chapter provides a brief overview of how to check the status of the certificates generated for sessions in Cisco Unified Communications Manager Administration. The certificate service periodically checks for long lived sessions between Cisco Unified Communications Manager and other services. Long lived sessions have a duration of six hours or more. The check is performed for the following long lived sessions:

• CTI Connections with JTAPI /TAPI applications.

Security Guide for Cisco Unified Communications Manager, Release 11.0(1) 1


• LDAP Connection between Cisco Unified Communications Manager and SunOne servers.

• IPSec Connections

It also describes how to configure the enterprise parameter for verifying certificate revocation and expiry.

The enterprise parameter Certificate Revocation and Expiry allows you to control the certificate validation checks. The revocation and expiry check parameter is enabled on the Enterprise Parameter page of Cisco Unified Communications Manager. The certificate expiry for the long lived sessions is not verified when the enterprise parameter value is disabled.

The certificate revocation service is active for LDAP and IPSec connections when Enable Revocation is selected in the Operating System Administration of Cisco Unified Communications Manager and the revocation and expiry check parameter is set to enabled. The periodicity of the check for IPSec connections is based on the Check Every value. The revocation check for the certificate is not performed if the Enable Revocation check box is unchecked.

Verify Certificate Status

The following procedure provides the tasks that you perform to enable or disable the certificate validity check.

Procedure

Step 1 In Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.

The Enterprise Parameters Configuration window displays.

Step 2 Under the Certificate Revocation and Expiry section:

a) From the Certificate Validity Check drop-down list box, select Enabled to enable the validity check.

b) Enter the Validity Check Frequency (hours) value.

The default value is 24 hours. The minimum value is 6 hours and the maximum value is 576 hours.

Step 3 Click Save.

Step 4 Click Apply Config.

The Apply Configuration Information dialog displays.

Step 5 Click Ok.

The timers for DIRSYNC and CTI are restarted.

Support for Delegated Trust Model in OCSP Response

Online Certificate Status Protocol (OCSP) allows a device to obtain real-time information about the status of a given certificate. Examples of certificate status are Good, Revoked, and Unknown.

Cisco Unified Communications Manager uses OCSP to validate third-party certificates that are uploaded into the Cisco Unified Communications Manager trust store. Cisco Unified Communications Manager requires an OCSP Responder URL to connect to the OCSP responder server over HTTP. It sends an HTTP request to the responder to validate a certificate.


Cisco Unified Communications Manager currently supports the Trusted Responder Model of OCSP, where the OCSP response is signed by a self-signed certificate of the OCSP server. This self-signed certificate is uploaded to the trust store before initiating an OCSP request. This certificate is used to verify the signature on the OCSP response.

Cisco Unified Communications Manager 11.0 and later support the Delegated Trust Model (DTM) of the OCSP responder, where the OCSP responses are no longer approved by the self-signed certificate but are issued by a Certificate Authority (Root CA or Subordinate CA). The CA certificate validates the OCSP responder certificates. The CA certificate that issued the OCSP responder certificate is required in the Cisco Unified Communications Manager trust store, instead of the OCSP response signing certificate. When you receive an OCSP response, the CA's certificate is used to validate the signature in the response.

Note: In case of a DTM execution failure, the OCSP response is verified using the self-signed certificate.
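As an added illustration (not code from the Cisco guide or from CUCM), the two signature-verification paths described above written with Python's `cryptography` library: the Delegated Trust Model is tried first (a responder certificate carried in the response must be issued by a CA in the trust store and carry the OCSP-signing extended key usage), and on DTM failure the responder's own self-signed certificate in the trust store is used. All keys, certificates and the OCSP response are constructed inside the block; names such as `Example Root CA` and `cucm.example.test` are made up, and the helper functions are hypothetical, not CUCM APIs.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def mk_cert(cn, key, issuer_cn, issuer_key, ocsp_signing=False):  # constructed test cert, not CUCM material
    now, name = dt.datetime.now(dt.timezone.utc), lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn)).public_key(key.public_key())
         .serial_number(x509.random_serial_number()).not_valid_before(now - dt.timedelta(days=1))
         .not_valid_after(now + dt.timedelta(days=30)))
    if ocsp_signing:  # id-kp-OCSPSigning: marks a CA-issued cert as a delegated OCSP signer (RFC 6960)
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def signed_by(pub, sig, data, algo):  # True if the ECDSA signature over data verifies under pub
    try: pub.verify(sig, data, ec.ECDSA(algo)); return True
    except InvalidSignature: return False

def verify_ocsp_response(resp, trust_store):  # returns which trust model accepted the response signature
    resp_ok = lambda c: signed_by(c.public_key(), resp.signature, resp.tbs_response_bytes, resp.signature_hash_algorithm)
    for cand in resp.certificates:  # Delegated Trust Model: responder cert in the response, issued by a trusted CA
        eku = next((e.value for e in cand.extensions if e.oid == x509.ExtensionOID.EXTENDED_KEY_USAGE), [])
        for ca in trust_store:
            if (ExtendedKeyUsageOID.OCSP_SIGNING in eku and cand.issuer == ca.subject and resp_ok(cand)
                    and signed_by(ca.public_key(), cand.signature, cand.tbs_certificate_bytes, cand.signature_hash_algorithm)):
                return "dtm"
    for cert in trust_store:  # DTM failed: Trusted Responder Model, the responder's own cert is in the trust store
        if cert.subject == resp.responder_name and resp_ok(cert):
            return "trusted-responder"
    raise ValueError("OCSP response signer is not trusted")

def mk_response(leaf, ca, responder_cert, responder_key):  # constructed GOOD response carrying the responder cert
    now = dt.datetime.now(dt.timezone.utc)
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=ca, algorithm=hashes.SHA256(), cert_status=ocsp.OCSPCertStatus.GOOD,
                          this_update=now, next_update=now + dt.timedelta(hours=1), revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, responder_cert).certificates([responder_cert])
            .sign(responder_key, hashes.SHA256()))

def demo():  # (model for a CA-issued responder with only the CA trusted, model for a self-signed trusted responder)
    k = [ec.generate_private_key(ec.SECP256R1()) for _ in range(4)]
    ca = mk_cert("Example Root CA", k[0], "Example Root CA", k[0])
    leaf = mk_cert("cucm.example.test", k[1], "Example Root CA", k[0])
    dtm_cert = mk_cert("Delegated OCSP Responder", k[2], "Example Root CA", k[0], ocsp_signing=True)
    solo = mk_cert("Self-signed OCSP Responder", k[3], "Self-signed OCSP Responder", k[3])
    return (verify_ocsp_response(mk_response(leaf, ca, dtm_cert, k[2]), [ca]),
            verify_ocsp_response(mk_response(leaf, ca, solo, k[3]), [solo]))
```

With only the CA in the trust store the first response is accepted under DTM; the self-signed responder has no OCSP-signing EKU, so DTM fails for it and the fallback accepts it only because its own certificate is in the trust store.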
